version: '2.3'
services:
  log:
    image: goharbor/harbor-log:{{version}}
    container_name: harbor-log
    restart: always
    dns_search: .
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - DAC_OVERRIDE
      - SETGID
      - SETUID
    volumes:
      - {{log_location}}/:/var/log/docker/:z
      - type: bind
        source: ./common/config/log/logrotate.conf
        target: /etc/logrotate.d/logrotate.conf
      - type: bind
        source: ./common/config/log/rsyslog_docker.conf
        target: /etc/rsyslog.d/rsyslog_docker.conf
    ports:
      - 127.0.0.1:1514:10514
    networks:
      - harbor
  registry:
    image: goharbor/registry-photon:{{reg_version}}
    container_name: registry
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    volumes:
      - {{data_volume}}/registry:/storage:z
      - ./common/config/registry/:/etc/registry/:z
      - type: bind
        source: {{data_volume}}/secret/registry/root.crt
        target: /etc/registry/root.crt
      - type: bind
        source: ./common/config/shared/trust-certificates
        target: /harbor_cust_cert
{% if gcs_keyfile %}
      - type: bind
        source: {{gcs_keyfile}}
        target: /etc/registry/gcs.key
{% endif %}
{%if internal_tls.enabled %}
      - type: bind
        source: {{internal_tls.core_crt_path}}
        target: /harbor_cust_cert/core.crt
      - type: bind
        source: {{internal_tls.registry_crt_path}}
        target: /etc/harbor/tls/registry.crt
      - type: bind
        source: {{internal_tls.registry_key_path}}
        target: /etc/harbor/tls/registry.key
{% endif %}
    networks:
      - harbor
    dns_search: .
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "registry"
  registryctl:
    image: goharbor/harbor-registryctl:{{version}}
    container_name: registryctl
    env_file:
      - ./common/config/registryctl/env
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    volumes:
      - {{data_volume}}/registry:/storage:z
      - ./common/config/registry/:/etc/registry/:z
      - type: bind
        source: ./common/config/registryctl/config.yml
        target: /etc/registryctl/config.yml
      - type: bind
        source: ./common/config/shared/trust-certificates
        target: /harbor_cust_cert
{% if gcs_keyfile %}
      - type: bind
        source: {{gcs_keyfile}}
        target: /etc/registry/gcs.key
{% endif %}
{%if internal_tls.enabled %}
      - type: bind
        source: {{internal_tls.registryctl_crt_path}}
        target: /etc/harbor/ssl/registryctl.crt
      - type: bind
        source: {{internal_tls.registryctl_key_path}}
        target: /etc/harbor/ssl/registryctl.key
{% endif %}
    networks:
      - harbor
    dns_search: .
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "registryctl"
{% if external_database == False %}
  postgresql:
    image: goharbor/harbor-db:{{version}}
    container_name: harbor-db
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - DAC_OVERRIDE
      - SETGID
      - SETUID
    volumes:
      - {{data_volume}}/database:/var/lib/postgresql/data:z
    networks:
      harbor:
  {% if with_notary %}
      harbor-notary:
        aliases:
          - harbor-db
  {% endif %}
    dns_search: .
    env_file:
      - ./common/config/db/env
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "postgresql"
{% endif %}
  core:
    image: goharbor/harbor-core:{{version}}
    container_name: harbor-core
    env_file:
      - ./common/config/core/env
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - SETGID
      - SETUID
    volumes:
      - {{data_volume}}/ca_download/:/etc/core/ca/:z
      - {{data_volume}}/:/data/:z
      - ./common/config/core/certificates/:/etc/core/certificates/:z
      - type: bind
        source: ./common/config/core/app.conf
        target: /etc/core/app.conf
      - type: bind
        source: {{data_volume}}/secret/core/private_key.pem
        target: /etc/core/private_key.pem
      - type: bind
        source: {{data_volume}}/secret/keys/secretkey
        target: /etc/core/key
      - type: bind
        source: ./common/config/shared/trust-certificates
        target: /harbor_cust_cert
{% if uaa_ca_file %}
      - type: bind
        source: {{uaa_ca_file}}
        target: /etc/core/certificates/uaa_ca.pem
{% endif %}
{%if internal_tls.enabled %}
      - type: bind
        source: {{internal_tls.core_crt_path}}
        target: /etc/harbor/ssl/core.crt
      - type: bind
        source: {{internal_tls.core_key_path}}
        target: /etc/harbor/ssl/core.key
{% endif %}
    networks:
      harbor:
{% if with_notary %}
      harbor-notary:
{% endif %}
{% if with_chartmuseum %}
      harbor-chartmuseum:
        aliases:
          - harbor-core
{% endif %}
    dns_search: .
    depends_on:
      - log
      - registry
{% if external_redis == False %}
      - redis
{% endif %}
{% if external_database == False %}
      - postgresql
{% endif %}
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "core"
  portal:
    image: goharbor/harbor-portal:{{version}}
    container_name: harbor-portal
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      - NET_BIND_SERVICE
    volumes:
      - type: bind
        source: ./common/config/portal/nginx.conf
        target: /etc/nginx/nginx.conf
{%if internal_tls.enabled %}
      - type: bind
        source: {{internal_tls.portal_crt_path}}
        target: /etc/harbor/tls/portal.crt
      - type: bind
        source: {{internal_tls.portal_key_path}}
        target: /etc/harbor/tls/portal.key
{% endif %}
    networks:
      - harbor
    dns_search: .
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "portal"

  jobservice:
    image: goharbor/harbor-jobservice:{{version}}
    container_name: harbor-jobservice
    env_file:
      - ./common/config/jobservice/env
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    volumes:
      - {{data_volume}}/job_logs:/var/log/jobs:z
      - type: bind
        source: ./common/config/jobservice/config.yml
        target: /etc/jobservice/config.yml
      - type: bind
        source: ./common/config/shared/trust-certificates
        target: /harbor_cust_cert
{%if internal_tls.enabled %}
      - type: bind
        source: {{internal_tls.job_service_crt_path}}
        target: /etc/harbor/ssl/job_service.crt
      - type: bind
        source: {{internal_tls.job_service_key_path}}
        target: /etc/harbor/ssl/job_service.key
{% endif %}
    networks:
      - harbor
    dns_search: .
    depends_on:
      - core
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "jobservice"
{% if external_redis == False %}
  redis:
    image: goharbor/redis-photon:{{redis_version}}
    container_name: redis
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    volumes:
      - {{data_volume}}/redis:/var/lib/redis
    networks:
      harbor:
  {% if with_chartmuseum %}
      harbor-chartmuseum:
        aliases:
          - redis
  {% endif %}
    dns_search: .
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "redis"
{% endif %}
  proxy:
    image: goharbor/nginx-photon:{{version}}
    container_name: nginx
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      - NET_BIND_SERVICE
    volumes:
      - ./common/config/nginx:/etc/nginx:z
{% if protocol == 'https' %}
      - {{data_volume}}/secret/cert:/etc/cert:z
{% endif %}
      - type: bind
        source: ./common/config/shared/trust-certificates
        target: /harbor_cust_cert
{%if internal_tls.enabled %}
      - type: bind
        source: {{internal_tls.proxy_crt_path}}
        target: /etc/harbor/tls/proxy.crt
      - type: bind
        source: {{internal_tls.proxy_key_path}}
        target: /etc/harbor/tls/proxy.key
{% endif %}
    networks:
      - harbor
{% if with_notary %}
      - harbor-notary
{% endif %}
    dns_search: .
    ports:
      - {{http_port}}:8080
{% if protocol == 'https' %}
      - {{https_port}}:8443
{% endif %}
{% if metric.enabled %}
      - {{metric.port}}:9090
{% endif %}
{% if with_notary %}
      - 4443:4443
{% endif %}
    depends_on:
      - registry
      - core
      - portal
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"
{% if with_notary %}
  notary-server:
    image: goharbor/notary-server-photon:{{notary_version}}
    container_name: notary-server
    restart: always
    networks:
      - notary-sig
      - harbor-notary
    dns_search: .
    volumes:
      - ./common/config/notary:/etc/notary:z
      - type: bind
        source: {{data_volume}}/secret/notary/notary-signer-ca.crt
        target: /etc/notary/notary-signer-ca.crt
      - type: bind
        source: {{data_volume}}/secret/registry/root.crt
        target: /etc/notary/root.crt
      - type: bind
        source: ./common/config/shared/trust-certificates
        target: /harbor_cust_cert
{%if internal_tls.enabled %}
      - type: bind
        source: {{internal_tls.notary_server_crt_path}}
        target: /etc/harbor/ssl/notary_server.crt
      - type: bind
        source: {{internal_tls.notary_server_key_path}}
        target: /etc/harbor/ssl/notary_server.key
{% endif %}
    env_file:
      - ./common/config/notary/server_env
    depends_on:
  {% if external_database == False %}
      - postgresql
  {% endif %}
      - notary-signer
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "notary-server"
  notary-signer:
    image: goharbor/notary-signer-photon:{{notary_version}}
    container_name: notary-signer
    restart: always
    networks:
      harbor-notary:
      notary-sig:
        aliases:
          - notarysigner
    dns_search: .
    volumes:
      - ./common/config/notary:/etc/notary:z
      - type: bind
        source: {{data_volume}}/secret/notary/notary-signer.crt
        target: /etc/notary/notary-signer.crt
      - type: bind
        source: {{data_volume}}/secret/notary/notary-signer.key
        target: /etc/notary/notary-signer.key
      - type: bind
        source: ./common/config/shared/trust-certificates
        target: /harbor_cust_cert
{%if internal_tls.enabled %}
      - type: bind
        source: {{internal_tls.notary_signer_crt_path}}
        target: /etc/harbor/ssl/notary_signer.crt
      - type: bind
        source: {{internal_tls.notary_signer_key_path}}
        target: /etc/harbor/ssl/notary_signer.key
{% endif %}
    env_file:
      - ./common/config/notary/signer_env
    depends_on:
      - log
  {% if external_database == False %}
      - postgresql
  {% endif %}
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "notary-signer"
{% endif %}
{% if with_trivy %}
  trivy-adapter:
    container_name: trivy-adapter
    image: goharbor/trivy-adapter-photon:{{trivy_adapter_version}}
    restart: always
    cap_drop:
      - ALL
    dns_search: .
    depends_on:
      - log
{% if external_redis == False %}
      - redis
{% endif %}
    networks:
      - harbor
    volumes:
      - type: bind
        source: {{data_volume}}/trivy-adapter/trivy
        target: /home/scanner/.cache/trivy
      - type: bind
        source: {{data_volume}}/trivy-adapter/reports
        target: /home/scanner/.cache/reports
      - type: bind
        source: ./common/config/shared/trust-certificates
        target: /harbor_cust_cert
{% if internal_tls.enabled %}
      - type: bind
        source: {{internal_tls.trivy_adapter_crt_path}}
        target: /etc/harbor/ssl/trivy_adapter.crt
      - type: bind
        source: {{internal_tls.trivy_adapter_key_path}}
        target: /etc/harbor/ssl/trivy_adapter.key
{% endif %}
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "trivy-adapter"
    env_file:
      ./common/config/trivy-adapter/env
{% endif %}
{% if with_chartmuseum %}
  chartmuseum:
    container_name: chartmuseum
    image: goharbor/chartmuseum-photon:{{chartmuseum_version}}
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - DAC_OVERRIDE
      - SETGID
      - SETUID
    networks:
      - harbor-chartmuseum
    dns_search: .
    depends_on:
      - log
    volumes:
      - {{data_volume}}/chart_storage:/chart_storage:z
      - ./common/config/chartserver:/etc/chartserver:z
      - type: bind
        source: ./common/config/shared/trust-certificates
        target: /harbor_cust_cert
{%if internal_tls.enabled %}
      - type: bind
        source: {{internal_tls.chartmuseum_crt_path}}
        target: /etc/harbor/ssl/chartmuseum.crt
      - type: bind
        source: {{internal_tls.chartmuseum_key_path}}
        target: /etc/harbor/ssl/chartmuseum.key
{% endif %}
{% if gcs_keyfile %}
      - type: bind
        source: {{gcs_keyfile}}
        target: /etc/chartserver/gcs.key
{% endif %}
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "chartmuseum"
    env_file:
      ./common/config/chartserver/env
{% endif %}
networks:
  harbor:
    external: false
{% if with_notary %}
  harbor-notary:
    external: false
  notary-sig:
    external: false
{% endif %}
{% if with_chartmuseum %}
  harbor-chartmuseum:
    external: false
{% endif %}
